
Confluent Kafka Connect Service open-source image 7.6.0 Security issue #300

Open
harish-r22 opened this issue Apr 24, 2024 · 1 comment

@harish-r22

The Confluent Kafka Connect Service open-source image version 7.6.0 introduces essential security enhancements to mitigate vulnerabilities identified within its dependencies. Below is a comprehensive list of addressed security issues:

- ca-certificates (CVE-2023-37920): Low severity issue with a score of 9.1. Fix version not available.
- okio-jvm (CVE-2023-3635): High severity issue with a score of 7.5. Fixed in version 3.4.0.
- cryptography (CVE-2023-50782, CVE-2024-26130, CVE-2024-0727): High severity issues with a score of 7.5. Fixed in versions 42.0.0, 42.0.4, and 42.0.2 respectively.
- curl (RHSA-2024:1601, CVE-2024-2398): Medium severity issues with scores of 5.3 and 7.5. Fixed in version 7.61.1-33.el8_9.5 and fix version not available, respectively.
- expat (RHSA-2024:1615): Medium severity issue with a score of 7.5. Fixed in version 2.2.5-11.el8_9.1.
- glib2 (CVE-2023-29499, CVE-2023-32611, CVE-2023-32665): Low severity issues with scores ranging from 6.2 to 6.5. No specific fix version available.
- gmp (CVE-2021-43618): Medium severity issue with a score of 6.2. No specific fix version available.
- gnutls (CVE-2024-28834): Medium severity issue with a score of 5.3. No specific fix version available.
- netty-codec-http (CVE-2024-29025): Medium severity issue with a score of 5.3. Fixed in version 4.1.108.Final.
- netty-codec-http2 (CVE-2023-44487): High severity issue with a score of 7.5. Fixed in version 4.1.100.Final.
- reactor-netty-http (CVE-2023-34054, CVE-2023-34062): High severity issues with a score of 7.5. Fixed in versions 1.0.39 and 1.1.13.
- krb5-libs, krb5-workstation (CVE-2023-5455, CVE-2024-26458, CVE-2024-26461, CVE-2024-26462): Medium to low severity issues with scores ranging from 6.5 to 7.5. No specific fix version available.
- libcurl (CVE-2023-46218, CVE-2024-2398, CVE-2023-28322, CVE-2023-38546): Medium to low severity issues with scores ranging from 3.7 to 5.3. Fixed in version 7.61.1-33.el8_9.5 and fix version not available, respectively.
- libgcrypt (CVE-2024-2236): Medium severity issue with a score of 5.9. No specific fix version available.
- libssh, libssh-config (CVE-2023-6004, CVE-2023-6918): Low severity issues with scores ranging from 3.7 to 4.8. No specific fix version available.
- libxml2 (CVE-2024-25062): Medium severity issue with a score of 7.5. No specific fix version available.
- libyaml (CVE-2024-3205): Medium severity issue with a score of 7.3. No specific fix version available.
- ncurses-base, ncurses-libs (CVE-2020-19188, CVE-2021-39537): Low severity issues with scores ranging from 5.5 to 6.5. No specific fix version available.
- commons-compress (CVE-2024-25710, CVE-2024-26308): Medium severity issues with scores of 5.5. Fixed in version 1.26.0.
- jose4j (CVE-2023-31582): High severity issue with a score of 7.5. Fixed in version 0.9.3.
- quartz (CVE-2023-39017): Critical severity issue with a score of 9.8. Fixed in version 2.4.0-rc1.
**spring-web

@janjwerner-confluent
Member

@harish-r22
Please review version 7.6.1, which has several of the issues resolved, and note Confluent Security
